We’ve just intercepted a currently circulating malicious spam campaign consisting of tens of thousands of fake ‘Export License/Invoice Copy’ themed emails, enticing users into executing the malicious attachment. Once the socially engineered users do so, their PCs automatically become part of the botnet operated by the cybercriminals behind the campaign.

Once executed, the sample starts listening on port 1581. It also marks its presence on the affected PCs through the following mutexes:

Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}
Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Local{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Local{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Local{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Local{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}
Global{B0B9FAFD-CA9C-4B54-DBC9-BE58FA349D4A}
Global{B0B9FAFC-CA9D-4B54-DBC9-BE58FA349D4A}
Global{D15F4CEE-7C8F-2AB2-DBC9-BE58FA349D4A}
Global{D15F4CE9-7C88-2AB2-DBC9-BE58FA349D4A}
Global{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}
Global{BB67AFC4-9FA5-408A-DBC9-BE58FA349D4A}
Global{32644819-7878-C989-11EB-B06D3016937F}
Global{32644819-7878-C989-75EA-B06D5417937F}
Global{32644819-7878-C989-4DE9-B06D6C14937F}
Global{32644819-7878-C989-65E9-B06D4414937F}
Global{32644819-7878-C989-89E9-B06DA814937F}
Global{32644819-7878-C989-BDE9-B06D9C14937F}
Global{32644819-7878-C989-51E8-B06D7015937F}
Global{32644819-7878-C989-81E8-B06DA015937F}
Global{32644819-7878-C989-FDE8-B06DDC15937F}
Global{32644819-7878-C989-0DEF-B06D2C12937F}
Global{32644819-7878-C989-5DEF-B06D7C12937F}
Global{32644819-7878-C989-95EE-B06DB413937F}
Global{32644819-7878-C989-F1EE-B06DD013937F}
Global{32644819-7878-C989-89EB-B06DA816937F}
Global{32644819-7878-C989-F9EF-B06DD812937F}
Global{32644819-7878-C989-E5EF-B06DC412937F}
Global{32644819-7878-C989-0DEE-B06D2C13937F}
Global{32644819-7878-C989-09ED-B06D2810937F}
Global{32644819-7878-C989-51EF-B06D7012937F}
Global{32644819-7878-C989-35EC-B06D1411937F}
Global{32644819-7878-C989-55EF-B06D7412937F}
Global{DDB39BDC-ABBD-265E-DBC9-BE58FA349D4A}
Global{2E1C200D-106C-D5F1-DBC9-BE58FA349D4A}

It then phones back to the following C&C servers (the addresses were run together without separators in the source text; the two boundaries marked below are ambiguous and the readings given are the most plausible ones):

190.202.83.105
201.209.58.176
79.184.18.48
76.226.114.217
78.131.50.190
94.43.213.17
94.240.232.14
32.40.193.124
(the three addresses above could also be read as 94.43.213.179, 4.240.232.14 and 32.40.193.124)
89.123.209.123
190.238.117.97
114.26.96.221
107.217.117.139
188.121.218.120
108.74.172.39
87.10.213.155
5.20.67.209
(the two addresses above could also be read as 87.10.213.15 and 55.20.67.209)
199.30.90.80
92.228.162.163
90.156.118.144
82.211.180.182
83.29.15.37
84.59.131.0
188.169.204.227
85.108.124.87
108.220.162.134
188.169.52.202
190.5.76.35
74.92.13.177
107.193.222.108
93.45.117.139
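The three indicators above (the port 1581 listener, the mutex names and the C&C addresses) are what a responder would sweep hosts and perimeter logs for. The script below is an added example, not code from the original post: it splits the run-together mutex string into individual names, matches Windows Firewall log lines and `netstat -ano` output against the C&C set and the listener port, and, on Windows only, probes for the mutexes with `OpenMutexW`. The firewall and netstat lines are constructed for illustration, the C&C set uses the address readings chosen above, and the `Local\`/`Global\` kernel-namespace form of the mutex names (the backslash does not appear in the post) is an assumption.

```python
"""IOC sweep helpers for the 'Export License/Invoice Copy' campaign (added example)."""
import ctypes
import re
import sys

LISTEN_PORT = 1581  # port the sample listens on, per the post

# C&C addresses from the post. Two boundaries in the source text are ambiguous;
# the readings used here are assumptions.
C2_ADDRESSES = {
    "190.202.83.105", "201.209.58.176", "79.184.18.48", "76.226.114.217",
    "78.131.50.190", "94.43.213.17", "94.240.232.14", "32.40.193.124",
    "89.123.209.123", "190.238.117.97", "114.26.96.221", "107.217.117.139",
    "188.121.218.120", "108.74.172.39", "87.10.213.155", "5.20.67.209",
    "199.30.90.80", "92.228.162.163", "90.156.118.144", "82.211.180.182",
    "83.29.15.37", "84.59.131.0", "188.169.204.227", "85.108.124.87",
    "108.220.162.134", "188.169.52.202", "190.5.76.35", "74.92.13.177",
    "107.193.222.108", "93.45.117.139",
}

# One mutex name as printed in the post: Local{GUID} or Global{GUID}.
MUTEX_RE = re.compile(r"(?:Local|Global)\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}")

# Constructed sample: the first four names from the post, run together as on the page.
MUTEX_BLOB = ("Local{911F9FCD-AFAC-6AF2-DBC9-BE58FA349D4A}"
              "Local{0BB5ADEF-9D8E-F058-DBC9-BE58FA349D4A}"
              "Global{2E06BA86-8AE7-D5EB-DBC9-BE58FA349D4A}"
              "Global{32644819-7878-C989-11EB-B06D3016937F}")

# Constructed sample in Windows Firewall (pfirewall.log) field order.
SAMPLE_FW_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-01-15 10:02:11 ALLOW TCP 10.0.0.5 190.202.83.105 49201 80 0 - 0 - - - - - SEND
2014-01-15 10:02:13 ALLOW TCP 10.0.0.5 203.0.113.10 49202 443 0 - 0 - - - - - SEND
2014-01-15 10:03:40 ALLOW TCP 188.169.52.202 10.0.0.5 3321 1581 0 - 0 - - - - - RECEIVE""".splitlines()

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:1581           0.0.0.0:0              LISTENING       3412
  TCP    10.0.0.5:49201         190.202.83.105:80      ESTABLISHED     3412""".splitlines()

FW_FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip", "src_port", "dst_port")


def parse_mutexes(blob):
    """Split a run-together 'Local{...}Global{...}' string into individual names."""
    return MUTEX_RE.findall(blob)


def parse_firewall_line(line):
    """Return the first eight pfirewall.log fields as a dict, or None for comments/short lines."""
    parts = line.split()
    if len(parts) < 8 or parts[0].startswith("#"):
        return None
    return dict(zip(FW_FIELDS, parts[:8]))


def find_c2_hits(lines):
    """(src_ip, dst_ip, dst_port) for every flow with a C&C address at either end."""
    hits = []
    for line in lines:
        rec = parse_firewall_line(line)
        if rec and (rec["dst_ip"] in C2_ADDRESSES or rec["src_ip"] in C2_ADDRESSES):
            hits.append((rec["src_ip"], rec["dst_ip"], int(rec["dst_port"])))
    return hits


def find_listeners(netstat_lines, port=LISTEN_PORT):
    """PIDs of processes with a TCP listener on `port`, from `netstat -ano` output."""
    pids = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[1] == str(port):
                pids.append(int(parts[4]))
    return pids


def netstat_c2_connections(netstat_lines):
    """(pid, foreign_ip) for every TCP socket whose peer is a C&C address."""
    conns = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "TCP":
            foreign_ip = parts[2].rsplit(":", 1)[0]
            if foreign_ip in C2_ADDRESSES:
                conns.append((int(parts[4]), foreign_ip))
    return conns


def present_mutexes(names):
    """Windows only: names from the post that currently exist as mutexes.

    Assumes the kernel-namespace form 'Local\\{...}' / 'Global\\{...}'; elsewhere returns [].
    """
    if sys.platform != "win32":
        return []
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    SYNCHRONIZE = 0x00100000
    found = []
    for name in names:
        obj_name = re.sub(r"^(Local|Global)\{", r"\1\\{", name)
        handle = k32.OpenMutexW(SYNCHRONIZE, 0, obj_name)
        if handle:
            k32.CloseHandle(ctypes.c_void_p(handle))
            found.append(name)
    return found


if __name__ == "__main__":
    print("mutex names:", parse_mutexes(MUTEX_BLOB))
    print("firewall C&C hits:", find_c2_hits(SAMPLE_FW_LOG))
    print("listeners on 1581:", find_listeners(SAMPLE_NETSTAT))
    print("netstat C&C peers:", netstat_c2_connections(SAMPLE_NETSTAT))
    print("mutexes present:", present_mutexes(parse_mutexes(MUTEX_BLOB)))
```

Run it against real exports by replacing the constructed samples with the contents of `%systemroot%\System32\LogFiles\Firewall\pfirewall.log` and `netstat -ano`. A listener on 1581 alone is weak evidence (any software can pick that port), so treat it as a pivot to the owning PID and confirm with the mutex probe or a C&C peer before calling the host infected; the mutex probe only proves presence while the process is alive, since the objects vanish when the last handle closes.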